The recent Log4J exploit not only forced companies to address compromised applications but to reexamine their whole approach to security and how to prepare themselves for future attacks. Log4J woke many businesses up to the importance of responding rapidly to announced open-source security patches. The severity of the threat pushed the open-source community into fast action, something that often isn’t seen with less-publicized exploits.
Unfortunately, Log4J is a symptom of a bigger problem — it’s not just a pandemic playing itself out, but rather an endemic situation much like COVID is now proving to be with its variants. If nothing else, we can be sure there will be many exploits well beyond Log4J as companies keep using open-source software.
Why is Open-Source Software Risky?
Open-source software, like Java, is used in practically every organization for good reason. It’s free and popular with developers because they don’t have to reinvent the wheel for standard processes. Instead, they can take a piece of code that already works and build on top of it to create their applications. The problem is, if the code is freely available for developers, it’s also available for attackers.
Attackers analyze open-source software for vulnerabilities that they can exploit to gain access to intellectual property or customer data of companies that have used the same code. The good news is: that the open-source community is typically pretty active and patches vulnerabilities often. The bad news is: that companies who use open-source software need to proactively patch or update the software themselves. Attackers are counting on the fact that some companies, especially small and medium-sized businesses (SMBs), don’t have the in-house resources to do this in a timely manner.
Once an attacker has discovered a vulnerability, they exploit that code to hide all sorts of bad actions or “sleeper cells” in a victim’s network and gather information until they’re ready to act. Attackers targeting a business may lie and wait for weeks (Colonial Pipeline) or months (SolarWinds) until they — based on the data they extracted — know the ransomware attack will have the greatest effect, such as in advance of an earnings call or product launch or another timely event. This way, the company is more likely to pay the ransom immediately. Sleeper cells make it easier for bad actors to initiate attacks when they have the most impact and leverage for a ransom payment.
Where Do the Problems Lie?
There are new initiatives from large tech companies looking to solve the problem of open-source software vulnerabilities. For example, Google has pledged $100 million to groups focused on improving open-source security. The Cybersecurity and Infrastructure Security Agency (CISA) is working with federal agencies to renew an initiative for the use of a software bill of materials (SBOM). This is an ingredient list for tech systems that organizations can consult when a new bug is discovered. By checking with the SBOM, they can see if vulnerable software needs to be patched. But companies also have to take responsibility for their security.
Yet, companies tend to struggle with cybersecurity hygiene because they don’t have the resources in place to maintain security protocols and regularly update software patches. Plus, they often rely on third-party software, leaving them open to both their vulnerabilities built on top of open-source vulnerabilities. The average total cost of a data breach is $4.24 million, and costs are higher for organizations that “lag in areas such as security AI and automation, zero trust, and cloud security.” SMBs are hit particularly hard because they don’t have the same security resources as enterprises, so they’re likely to pay higher costs associated with breaches.
According to a recent SBA survey, 88% of small business owners felt their business was vulnerable to a cyber-attack. And it’s not surprising that small and medium businesses feel like they’re at risk because the Fortune 500 enterprises have big IT and security staffs, and the SMBs have small or nonexistent security teams. The hackers know that and prey upon the easier targets, so SMBs are extremely vulnerable.
How to Mitigate Vulnerabilities from Open-Source Software?
To protect themselves from vulnerabilities in open-source software, all organizations have to make cybersecurity a priority in their organization and dedicate resources to it. They don’t have to hire an in-house cybersecurity team, but they have to ensure someone is responsible for handling their security. It’s important to have at least one allocated person that regularly checks software for available patches and updates for known breaches. Organizations should consider hiring penetration testers to try and hack their network to find vulnerabilities before bad actors discover them. Regular vulnerability scans can also highlight issues before an attacker exploits them, and managed service offerings can take much of the burden off the SMBs themselves.
For companies building their applications using open-source software, penetration testing and code audits have to be a part of the process before making the applications publicly available. And once they know about vulnerabilities, they need to refactor those applications to harden them and minimize the attack surface.
How Organizations Can Get the Technical Resources They Need
All companies need dedicated security personnel watching their network, but as mentioned above, it’s not always realistic to hire those resources in-house, particularly for SMBs. Recent data from Cyberseek shows there are almost 600,000 unfilled cybersecurity jobs in the U.S. To tighten cloud security vulnerabilities and protect sensitive digital assets, companies must engage outside security experts to audit their security profile, fix immediate issues, and maintain ongoing protections. There aren’t enough resources available for all companies to do it in-house.
This is why many organizations have decided to outsource their security to managed service professionals that can offer the exact cloud security protection required. Of course, there are risks if the right provider is not selected. When picking a provider, businesses should focus on outsourcers with high-quality standards that offer top skills, senior people, and have a proven track record.
Log4J may have been the most recent catalyst, but companies will continue to suffer from open-source vulnerabilities until they take an active role in their cybersecurity. Open-source software isn’t going away; in fact, it’s becoming more and more popular; however, businesses need to be able to protect themselves against open-source exploits with frequent patching and vulnerability scans. Until they have designated security staff, businesses will always remain victims to the next vulnerability open-source attackers find.